[exim] SSL Anomaly? or config error?

Author: Hill Ruyter
Date:  
To: exim-users
Subject: [exim] SSL Anomaly? or config error?
Hi

I have a strange situation with regard to SSL on my server.

It is probably a configuration issue, but I cannot see where.


If I send e-mail (using Outlook Express) from a machine on the same subnet
as the server, I get an error telling me that SSL is not supported, and I
have had to configure the two clients without SSL for SMTP.

However, I have just checked remotely, and from a client elsewhere on the
net I can successfully send e-mail with SSH configured for SMTP.

Now, although I know there is minimal risk from using clear-text passwords
on the local LAN, I had hoped to configure the server to ONLY allow SSL
connections when a plain password is used to authenticate (I believe this
is possible). I do not, however, want to do this if it is going to break
the local clients.

I have included the TLS Options section and the Authenticators from my
config, if this helps.



Kind Regards

Hill

### main/03_exim4-config_tlsoptions
#################################

# TLS/SSL configuration.
# See /usr/share/doc/exim4-base/README.Debian.gz for explanations.


.ifdef MAIN_TLS_ENABLE
# Defines what hosts to 'advertise' STARTTLS functionality to. The
# default, *, will advertise to all hosts that connect with EHLO.
.ifndef MAIN_TLS_ADVERTISE_HOSTS
MAIN_TLS_ADVERTISE_HOSTS = *
.endif
tls_advertise_hosts = MAIN_TLS_ADVERTISE_HOSTS


# Full paths to Certificate and Private Key. The Private Key file
# must be kept 'secret' and should be owned by root.Debian-exim mode
# 640 (-rw-r-----). exim-gencert takes care of these prerequisites.
.ifndef MAIN_TLS_CERTIFICATE
MAIN_TLS_CERTIFICATE = CONFDIR/exim.crt
.endif
tls_certificate = MAIN_TLS_CERTIFICATE

.ifndef MAIN_TLS_PRIVATEKEY
MAIN_TLS_PRIVATEKEY = CONFDIR/exim.key
.endif
tls_privatekey = MAIN_TLS_PRIVATEKEY


# Pointer to the CA Certificates against which client certificates are
# checked. This is controlled by the `tls_verify_hosts' and
# `tls_try_verify_hosts' lists below.
# If you want to check server certificates, you need to add an
# tls_verify_certificates statement to the smtp transport.
# /etc/ssl/certs/ca-certificates.crt is generated by
# the "ca-certificates" package's update-ca-certificates(8) command.
.ifndef MAIN_TLS_VERIFY_CERTIFICATES
MAIN_TLS_VERIFY_CERTIFICATES = ${if exists{/etc/ssl/certs/ca-certificates.crt}\
                                    {/etc/ssl/certs/ca-certificates.crt}\
                                    {/dev/null}}
.endif
tls_verify_certificates = MAIN_TLS_VERIFY_CERTIFICATES



# A list of hosts which are constrained by `tls_verify_certificates'. A host
# that matches `tls_verify_host' must present a certificate that is
# verifyable through `tls_verify_certificates' in order to be accepted as an
# SMTP client. If it does not, the connection is aborted.
.ifdef MAIN_TLS_VERIFY_HOSTS
tls_verify_hosts = MAIN_TLS_VERIFY_HOSTS
.endif

# A weaker form of checking: if a client matches `tls_try_verify_hosts' (but
# not `tls_verify_hosts'), request a certificate and check it against
# `tls_verify_certificates' but do not abort the connection if there is no
# certificate or if the certificate presented does not match. (This
# condition can be tested for in ACLs through `verify = certificate')
.ifndef MAIN_TLS_TRY_VERIFY_HOSTS
MAIN_TLS_TRY_VERIFY_HOSTS = *
.endif
tls_try_verify_hosts = MAIN_TLS_TRY_VERIFY_HOSTS

.endif
#####################################################
### end main/03_exim4-config_tlsoptions
#####################################################



######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################


begin authenticators


#####################################################
### end auth/00_exim4-config_header
#####################################################
#####################################################
### auth/30_exim4-config_examples
#####################################################

### auth/30_exim4-config_examples
#################################

# The examples below are for server side authentication

# They allow two styles of plain-text authentication against an
# CONFDIR/passwd file which should have user names in the first column
# and crypted passwords in the second. The columns need to be separated
# by ':'. Please note that apache's htpasswd program generates a file
# in the correct format, but uses a different crypt scheme. So,
# htpassword will _NOT_ work for exim4.

# For CRAM-MD5 exim needs access to the UNENCRYPTED passwd - the example
# below assumes it is available in the third column of CONFDIR/passwd

# Hosts that are allowed to use AUTH are defined by the
# auth_advertise_hosts option in the main configuration. The default is
# "*", which allows authentication to all hosts over all kinds of
# connections if there is at least one authenticator defined here.
# Authenticators which rely on unencrypted clear text passwords don't
# advertise on unencrypted connections by default. You can set
# AUTH_SERVER_ALLOW_NOTLS_PASSWORDS to advertise unencrypted clear text
# password based authenticators on all connections.

plain_server:
driver = plaintext
public_name = PLAIN
server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{/directory-location/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
# server_advertise_condition = yes
.endif

login_server:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{/directory-location/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $1
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
# server_advertise_condition = yes
.endif
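The posted authenticators withhold PLAIN and LOGIN while `$tls_cipher` is empty, so the property Hill is asking for (clear-text passwords only over an encrypted session) can be verified from the outside by comparing the EHLO capability list before and after STARTTLS. The script below is an added check, not part of the original post or of Exim; `probe()` talks to a live server with `smtplib`, while `parse_ehlo()` and `assess()` work on the raw EHLO bodies and are exercised here against constructed sample responses (the hostname `mail.example.test` and the extension lists are made up).

```python
"""Verify that an SMTP server offers PLAIN/LOGIN only after STARTTLS.

Added example for the exim-users thread above; not code from the post or
from Exim.  The sample EHLO bodies below are constructed for illustration.
"""
from __future__ import annotations

import smtplib
import ssl

# Mechanisms that carry the password in the clear (base64 is not encryption).
CLEARTEXT_AUTH = {"PLAIN", "LOGIN"}

# Constructed EHLO bodies in the shape smtplib.SMTP.ehlo() returns them:
# the first line is the server's hostname, then one extension per line.
SAMPLE_BEFORE_TLS = b"mail.example.test\nSIZE 52428800\nPIPELINING\nSTARTTLS\nHELP"
SAMPLE_AFTER_TLS = b"mail.example.test\nSIZE 52428800\nPIPELINING\nAUTH PLAIN LOGIN\nHELP"
# A weak server: clear-text AUTH is advertised on the unencrypted connection.
SAMPLE_WEAK = b"mail.example.test\nSIZE 52428800\nSTARTTLS\nAUTH PLAIN LOGIN\nHELP"


def parse_ehlo(body: bytes) -> dict[str, list[str]]:
    """Turn an EHLO response body into {EXTENSION: [parameters]}."""
    caps: dict[str, list[str]] = {}
    lines = body.decode("ascii", "replace").splitlines()
    for line in lines[1:]:  # skip the hostname line
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def cleartext_auth_offered(caps: dict[str, list[str]]) -> list[str]:
    """Return the clear-text mechanisms present in the AUTH extension."""
    return sorted(CLEARTEXT_AUTH & set(caps.get("AUTH", [])))


def assess(before: bytes, after: bytes | None) -> dict:
    """Judge the pre- and post-STARTTLS capability lists.

    'ok' means STARTTLS is offered and no clear-text mechanism is advertised
    on the unencrypted connection, which is what the Exim config above does
    with server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}.
    """
    pre = parse_ehlo(before)
    post = parse_ehlo(after) if after is not None else {}
    before_tls = cleartext_auth_offered(pre)
    return {
        "starttls": "STARTTLS" in pre,
        "cleartext_auth_before_tls": before_tls,
        "cleartext_auth_after_tls": cleartext_auth_offered(post),
        "ok": "STARTTLS" in pre and not before_tls,
    }


def probe(host: str, port: int = 25, timeout: float = 10.0,
          context: ssl.SSLContext | None = None) -> dict:
    """Run the check against a live server (not exercised offline)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, before = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO failed: {code} {before!r}")
        after = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=context or ssl.create_default_context())
            code, after = smtp.ehlo()  # capabilities must be re-read after TLS
            if code != 250:
                raise RuntimeError(f"EHLO after STARTTLS failed: {code} {after!r}")
        return assess(before, after)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = probe(target) if target else assess(SAMPLE_BEFORE_TLS, SAMPLE_AFTER_TLS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it as `python3 check_smtp_auth.py mail.example.test` against the server in question; with no argument it evaluates the constructed samples. A certificate produced by `exim-gencert` is self-signed, so a default `ssl.create_default_context()` will refuse it: pass a context whose `load_verify_locations()` points at that certificate rather than disabling verification, since the point of the check is that the TLS session protecting the password is the one you expect.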